Back to Windows registry forensics, course 3. We are covering the NTUSER.DAT registry file, and in this section we're going to be covering recent applications, RecentApps, which is a subkey in the NTUSER.DAT hive file. What we've covered so far in course 3, a quick review: we've covered the RecentDocs subkey and we took a look at the most recently used lists, the MRU lists, and how we read those, how those are interpreted. We took a look at the TypedURLs subkey for Internet Explorer, URLs typed in or completed by the autocomplete or the drop-down box. We also took a look at UserAssist, program execution by a specific user. In this section, we're going to take a look at the RecentApps subkey. This also tracks recently used applications, similar to UserAssist, but this key goes a little deeper, as we're going to see shortly. It does monitor application usage. We will see GUIDs instead of the ROT13, and each of these GUID subkeys will correspond to an application, and this is going to show us applications and files that were executed through that specific application. The items we will be using in this section are going to be Registry Explorer, DCode, and Ivan's NTUSER.DAT hive file that we exported from our virtual machine images. So let's take a look, let's bring up Registry Explorer, and if you haven't already done so please go ahead to File, Load Hive, navigate out to where you saved that NTUSER.DAT file and click Open to load the hive. Once we've loaded the hive, we're going to navigate to the key that we're looking for. So we're going to expand it, expand the root, we're going to expand Software, we're going to expand Microsoft, we're going to expand Windows, CurrentVersion, Search, and expand Search and we see our RecentApps subkey. Now when we highlight the subkey, we can see the information populated on the right-hand side of the pane: we have the program GUIDs.
We also have file paths, and we have the last access date and time, and we have a launch count, how many times the program was launched. Now, this is the top level of the RecentApps key and these are files that have been accessed on the system. Now, when we expand the key, we see more GUIDs, and each of these GUID subkeys directly under RecentApps corresponds to an application. Some of these GUID subkeys have additional subkeys. So we'll go ahead and expand those just so we can take a look. We see a RecentItems subkey appearing here, and these are going to tell us the recent items that were accessed using the program with the GUID right above the RecentItems folder. So let's take a look at what we've got. When we click on each subkey, we can see additional dates and times, and again we see a launch count, we see another last access time, and again if we were going to interpret that, we would need to do so using the hexadecimal down here, and it is a 64-bit Windows FILETIME, and these dates and times will correspond to what we saw in UserAssist. Now when we go ahead and expand the RecentItems subkey, you're going to see more GUIDs, and this is Microsoft Edge, Microsoft Edge, and we can see the last write time here. And if we go back and look at UserAssist, you will see that that time does in fact match. Now, when we go ahead and look at the recent items under Microsoft Edge, we can see we have an untitled PDF. It was accessed through an E drive which, depending on how many drives you have in your computer, could be an indication of removable media. We can see a file that was accessed through Ivan's Google Drive and opened with Microsoft Edge. Microsoft Edge will open PDF documents, and we see an indication again of an F drive, and again these have individual last access times which we can decode using DCode, and we will do one in a moment. As you go down, you can see actual files that were accessed through a particular application.
So this gives us a little more, it digs a little deeper and gives us a little more information than we saw in the UserAssist subkeys. RecentApps will not contain as many entries as the UserAssist subkey, and each of these RecentItems seems to have a limitation of 10 subkeys. And this RecentItems entry is the Control Panel. And if you expand the RecentItems subkey under the RecentApps key, you can see things that were accessed through the Control Panel. You see more entries here as we scroll through, and a lot of these may look familiar from UserAssist, and here we have Chrome and underneath we have a RecentItems subkey. So you can see some of the actual documents, and you notice in the file path this is Google Drive. So this is giving you an indication of files stored on Ivan's Google Drive, which may be very important to your investigation. We can see exactly what was accessed or what is in this particular drive. And again, with these subkeys we're getting additional dates and times. If you notice from the RecentItems last write time (we have to scroll all the way back up here), from the RecentApps last write time of 20 to 26, we see down here in RecentItems a later time. And when we look through the items under that subkey, we can see the time that corresponds to the last write time of the RecentItems parent key is this one, and we can see that it is on an F drive and it's an untitled PDF, so we can gain a lot more information here. It helps us dive a little deeper into what we're looking for, and it also is a way for you to corroborate your times and run counts that are shown in your UserAssist subkey, because each of these keys here does contain a date and time and it does contain a launch count, so you can use this to sort of validate your UserAssist findings.
Let's do a quick demonstration with DCode. We're looking at the Ophcrack entry in RecentApps and we can see we have a launch count of one, we have our last access time, and we can see down here we have the hexadecimal representation, a 64-bit Windows timestamp. Now I'm going to Ctrl+C and copy that timestamp, go ahead and bring up DCode, and I'm going to go ahead and paste it into DCode. The only caveat here: you do need to take these dashes out, DCode does not like them. So once we've gone through and taken out all of our dashes and we decode, we get a date and time of June 13th at 21:57:49. Let's just move DCode out of the way, and now let's go to our bookmarks, Common, and navigate to UserAssist. We can expand UserAssist. We're going to go down to the CEBFF subkey, going to expand that subkey. We're going to highlight Count, and in the Name column we're going to type in "oph" and we have Ophcrack coming up. Now let's go back and bring up DCode and, as you can see, the dates and times match. And this is one way you can go through and validate your findings in UserAssist. We see a run count of one. Let's go back and look at Ophcrack again in RecentApps, and we see we still have a launch count of one. We're getting our full path here with the F drive. And if we want to look at Microsoft Edge, we go ahead and go back to UserAssist and take a look at Microsoft Edge. So in here we're looking at Microsoft Edge, we have a launch count of 12. And when we look at our last access time, we go ahead and copy out our last access time again with a Ctrl+C, we can bring up DCode, we can paste it in, you can follow the same process and take out the dashes, we can decode the value and we have our date and time. We can move DCode out of the way, go to our bookmarks, go to Common, go back to UserAssist, and we're looking at Microsoft Edge (the Microsoft.MicrosoftEdge_8wekyb3d8bbwe entry), and let's just type in "edge". And let's bring up DCode.
We can see we have a counter of 12, which matches what we saw in our RecentApps key, and we can verify again that our date and time matches. But what we didn't get to see here is what was accessed via this application. So let's go ahead and go back to our RecentApps, back to Microsoft Edge, and we can see what was accessed using Microsoft Edge. We can see we have an access on an E drive, an indication of removable media. We can see all these PDFs that were accessed using Edge. We can see their dates and times, their full file paths and their file names. So this is very, very useful information when you're doing a forensic examination. Now the only caveat to this, like I said earlier, is that it's not on every single version of Windows 10. If you want, you can use this to collapse your keys, collapse your subkeys, and that will clean up your view. You guys don't have this, but I wanted to show you: I did a test on my Surface Pro, which is brand new, and what I was able to find on my Surface Pro was a subkey called JumpListData, and it is also under the Search subkey. Let's navigate from the top of the tree so we can see where it is exactly. We would expand the root, we would expand Software, we would expand Microsoft, scroll down and expand Windows, CurrentVersion, go to Search, and in Search we see a key called JumpListData. Now this is not going to give me quite the same in-depth look that RecentApps did, but it is showing me applications that were accessed. It is showing the actual applications in here that I ran, and this information would correspond to UserAssist. So this would be a way to validate what you're seeing in UserAssist. Unfortunately, it's not showing me the documents that were opened using these programs, but that JumpListData key is under the Search key and will give you some information regarding recently accessed programs and show you user application execution.
And if we look at the JumpListData, if we look at the data, we can also calculate this date and time. We do not get a run count on this, which is unfortunate. But it is a way for you to validate your findings in UserAssist.
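The manual DCode steps from the demonstration (copy the hex dump of the last access time, strip the dashes, decode the 64-bit Windows FILETIME, then compare the launch count and time against the UserAssist entry) as an added Python example; this is not code from the course, and the RecentApps and UserAssist entries in it are constructed sample values, not data from Ivan's hive.

```python
import re
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_hex(hex_dump: str) -> datetime:
    """Decode the 8-byte little-endian hex dump shown for a last access time
    (e.g. '80-AC-56-26-9F-60-D7-01') into a UTC datetime. Dashes and spaces
    are stripped first, which is the manual clean-up the lecture describes
    before pasting the value into DCode."""
    clean = re.sub(r"[^0-9A-Fa-f]", "", hex_dump)
    if len(clean) != 16:
        raise ValueError(f"expected 8 bytes of hex, got {len(clean) // 2}")
    ticks = int.from_bytes(bytes.fromhex(clean), byteorder="little")
    # Python datetimes resolve to microseconds; 10 ticks = 1 microsecond.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


# Constructed sample values (not from a real hive): a RecentApps GUID subkey
# with its hex dump as Registry Explorer displays it, and the matching
# UserAssist entry that has already been ROT13-decoded and timestamp-decoded.
RECENT_APPS_ENTRY = {
    "AppPath": "F:\\ophcrack\\ophcrack.exe",
    "LaunchCount": 1,
    "LastAccessedTime": "80-AC-56-26-9F-60-D7-01",
}
USER_ASSIST_ENTRY = {
    "RunCount": 1,
    "LastExecuted": datetime(2021, 6, 13, 21, 57, 49, tzinfo=timezone.utc),
}


def corroborate(recent: dict, userassist: dict, tolerance_s: int = 2) -> dict:
    """Cross-check a RecentApps entry against its UserAssist counterpart, the
    validation the lecture does by eye: counts must match exactly and the two
    timestamps must agree within a small tolerance."""
    last_access = filetime_from_hex(recent["LastAccessedTime"])
    delta = abs((last_access - userassist["LastExecuted"]).total_seconds())
    return {
        "last_access": last_access,
        "count_matches": recent["LaunchCount"] == userassist["RunCount"],
        "time_matches": delta <= tolerance_s,
    }


if __name__ == "__main__":
    print(corroborate(RECENT_APPS_ENTRY, USER_ASSIST_ENTRY))
```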